A timing side-channel vulnerability in Linux-PAM (through version 1.7.2) allows an attacker to recover plaintext passwords by measuring subtle differences in authentication response times. The flaw exists in the pam_userdb module when configured to store credentials in plaintext — a non-default but valid configuration. By repeatedly probing an exposed authentication service, an attacker can deduce the password length and individual characters byte by byte.

Security Architect’s Take: Audit all Linux-based workloads and container images in your Azure environment for PAM configurations using pam_userdb with crypt=none or without a crypt= argument, and remediate by enforcing hashed credential storage. Where pam_userdb is in use at all, consider replacing it with a more robust authentication backend and restrict network-adjacent access to any service that calls into PAM until patched packages are available.

Original advisory: CVE-2026-54411 Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module’s plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate’s length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext.